Rethinking IT Security
- 14:00 8th June 2018 ( Trinity Term 2018 )Tony Hoare Room, Robert Hooke Building
Abstract
This talk provides provocative new ways of looking at IT security and how we can realistically solve the lack of IT security long term. It is frequently said that people have a problem seeing the trees from the forest, but this talk inverts the saying and implies that it seems to be hard for people to see the forest from the trees. Pointing out, that people have been looking for solutions addressing IT security within their own companies or environments, instead of thinking of ways to address and solve the lack of IT security on a large scale.
The talk is partially based on the speakers book, which was published in June of last year. The author will introduce the “Eyjafjallajökull” methodology. The talk will also address a couple of relatively recent data breaches that affected Iceland, where in one case, private information on a quarter of the population got leaked online (including cleartext passwords and email addresses). A security awareness experiment related to one of the data breaches will be covered and lessons learned.
Outline
1. Discuss two recent data breaches that affected Iceland. Telecommunication company in Iceland (which took place in Iceland), private data of a quarter of the population in Iceland (including clear text passwords, e-mail addresses, SMS text messages) + Linkedin data breach. Legal implications and penalties. Briefly mention the GDPR.
2. Cover a security awareness experiment, the speaker performed, relating to the Linkedin data breach on affected Iceland specific email addresses (lots of funny stuff, but also lots of interesting stuff).
3. Shortly cover key results of research the speaker performed relating to the state of network security in Iceland five years ago. (If It looks like I won't have time to cover all 8 points during the one hour allocated, then I may skip this point = (3.))
4. Cover key results from research on the state of security of government websites in Iceland, which the speaker was commissioned to do by the Ministry of The Interior in Iceland 3 years ago and again last year.
5. Cover action the Ministry of Interior performed two years ago (with the assistance of the speaker). Introducing a contract annex for use with third parties, which was published as well as risk assessment template and risk assessment guidelines (+ really quick run through of roughly 20 controls from the annex). Also cover the improvements achieved due to the assessment and support given.
6. The current state of IT Security. The problem as it has been described by most IT security leaders (Micro). The way the speaker sees the problem (Macro). The “Eyjafjallajökull” methodology will be introduced.
Various education levels
Various industries
Vendor certifications
Impacting the bottom line
7. Future perspectives, licensing models, call to action (based on the “Eyjafjallajökull” methodology).
8. Questions and Answers
Takeaways
Attendees will:
- See the IT security problem we face today with a new perspective.
- Be inspired to change the world for the better (Eyjafjallajökull methodology).
- Go home with a lot of thought provoking questions relating to how we can address the lack of IT security.
- Hopefully a lot of common assumptions will be cleared up, and if attendees will adapt parts of the contract annex (or as a whole), they may end up preventing data breaches and increase their security.
Speaker bio
Svavar Ingi Hermannsson is one of Iceland’s leading experts in information security. He has been specializing in IT security and software development for the last 20 years and has held various roles in programming and IT Security consulting with vast experience in penetration testing, vulnerability assessment, code auditing, information security management - including ISO/IEC 27001, PCIDSS and PADSS. These roles include a manager position at KPMG, as well as a CISO position at one of the leading mobile payment application company in Iceland.Svavar has taught classes at the University of Iceland and the University of Reykjavik.
Svavar was the chairman of the information security focus group at the Icelandic Computer Society from 2007-2012.
Svavar has given talks at multiple events in Iceland, the UK, Germany, Ukraine, Sweden, United Arab Emirates and the US, including OWASP, ISC2 Secure Summits, BSides, Hacker Halted Europe and UISGCon.
Svavar is a lifetime member of OWASP and holds various certifications, including CISSP, CISA and CISM.